Re: Debian mirrors and MITM
On Sat, May 31, 2014 at 12:11:28AM +1000, Alfie John wrote:
> On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
> > . keeps an adversary who may be listening on the wire from
> > looking at what you are installing. Who cares what you are
> > installing? Well, it turns out that is very interesting
> > information. If you can see that I've just installed X
> > package, and you then just look over at our security tracker
> > and find that this package has an exploit...
>
> It's only metadata, so who cares, right? Only kidding. This is a totally
> legitimate scenario which I didn't think of. Nice.

So your solution to adding privacy is to make sure that every Debian
system checks in with debian directly rather than using a distributed
infrastructure? I'd suggest looking at apt-transport-tor instead.